Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LockFile Feature #1748

Closed
wants to merge 25 commits into from
Closed

LockFile Feature #1748

wants to merge 25 commits into from

Conversation

@kodypeterson
Copy link
Contributor

kodypeterson commented Mar 21, 2015

Based on #1592


  • bower.lock doesn't exist:
    • bower install creates bower.lock file only after all-successful non-production installation
    • bower install --production complains there's no bower.lock and exits
    • bower update acts as bower install
  • bower.lock exists dependenies in bower.json match those on bower.lock
    • bower install installs exact packages from bower.lock
    • bower install --production installs exact packages from bower.lock ignoring devDependencies
    • bower update is no-op
    • if installation would change bower.lock, it fails with error message
  • bower.lock exists and there are only extra dependencies in bower.json relative to bower.lock
    • bower install tries to install bower.lock with only new packages from bower.json added. Installation fails if old bower.lock is not a subset of new bower.lock.
    • bower install --production fails
    • bower update --all re-creates bower.lock
  • bower.lock` exists and dependencies in bower.json changed relative to bower.lock
    • bower install fails, and says you need to bower update first
    • bower install --production fails
    • bower update complains there's no package specified to update
    • bower update --all re-creates bower.lock
    • bower update tries to install bower.lock with version replaced with version from bower.json. Installation fails if old bower.lock is not a subset of new bower.lock (except updated package).
kodypeterson added 17 commits Mar 21, 2015
…dependencies in the existing lock file
…for save to update lockfile
@kodypeterson
Copy link
Contributor Author

kodypeterson commented Mar 25, 2015

@sheerun - So, when running bower update and nothing has yet to be installed, should a lock file be required as at that point it really acts like bower install?

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Mar 26, 2015

@sheerun bump for the question above... 😄

@sheerun
Copy link
Contributor

sheerun commented Mar 27, 2015

@kodypeterson Sorry for the delay. Yes, indeed it should do the same as bower install :)

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Mar 30, 2015

@sheerun any thoughts on the lock file being .bower.lock instead of bower.lock?

Just wondering if we really want to make it a non-dot file...

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Mar 30, 2015

Also, I noticed that most of the update tests are invalid as they call tempDir.prepare({JSON}) after the install. Which .prepare will remove all of the contents in the directory.

So, when update runs, it is running against an empty directory with no dependencies installed, so it just acts like bower install 😦

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Mar 30, 2015

How should bower link be handled, it in turn calls bower update? Should it follow the same rules as bower update?

@sheerun
Copy link
Contributor

sheerun commented Mar 30, 2015

bower link is totally separate thing. It just creates a symlink to some other directory.

I think we don't need to worry about it.

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Mar 31, 2015

@Utsav2
Copy link
Member

Utsav2 commented Dec 13, 2015

@kodypeterson Great work on this.

As @sheerun mentioned before, is it possible to squash this into meaningful commits and rebase against master? It's hard to review in its current state.

@sheerun
Copy link
Contributor

sheerun commented Dec 13, 2015

@Utsav2 Could you do it instead and send another PR?

@Utsav2
Copy link
Member

Utsav2 commented Dec 14, 2015

@iBasit
Copy link

iBasit commented Jan 27, 2016

If you need any help with testing, please feel free to message me.

@shyiko
Copy link

shyiko commented Mar 13, 2016

For what it's worth shrinkwrap functionality is available using bower-shrinkwrap-resolver. You might find it useful until this PR gets merged in.

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Aug 22, 2016

Alright @sheerun what are we going to do with this one? We missed the birthday celebration of this PR... Soon, it will be 2 years old.

It now has a bunch of conflicts, which I can work to resolve. Are the requirements above still accurate? If so, I can work to get a new PR started. If not, can we get a new issue opened with the correct requirements laid out so I can get to work on it. We need to get this functionality into bower.

It is very obvious the demand for it, and I am here to make it happen! Just let me know what I can do to get this going again!

PS: Sorry for dropping the ball on this PR, it sort of fell of my radar.

@sheerun
Copy link
Contributor

sheerun commented Aug 23, 2016

@kodypeterson To release it as quickly as possible we'd need to put it in current 1.x version of bower, and make it backward compatible (opt-in). What sounds reasonable is:

  • Squash all commits into one (it makes rebase easier)
  • Rebase this PR onto master
  • Add --lock flag to bower install to enable this feature when bower.json already exists
  • Add a warning if there isn't a lockfile available, prompting to use --lock flag
  • After bower.lock has been created, keep implemented behavior
  • Do not modify any existing tests and only create new ones (when bower.lock is present)
  • Make sure all current tests pass

If we ever release 2.0, we set --lock to be a default.

As for lock itself, I see it contains few extra keys we don't want, especially they contain absolute paths:

  • endpoint, canonicalDir
  "endpoint": {
    "name": "bower",
    "source": "/Users/sheerun/Source/Bower/bower",
    "target": "1.7.9"
  },
  "canonicalDir": "/Users/sheerun/Source/Bower/bower",

Also, we need to put version of bower it was packaged with to version key, plus additional behavior:

  • If bower minor version in bower.lock is greather than current bower version, refuse to install package, indicating that newer bower version is necessary.

I've also encountered an error when installing local package without bower.json:

Stack trace:
TypeError: Cannot read property 'pkgMeta' of undefined
    at /Users/sheerun/Source/Bower/bower/lib/util/lockFile.js:22:84
    at /Users/sheerun/Source/Bower/bower/node_modules/mout/object/forOwn.js:12:27

I can do more testing if we you manage to fix those. Thank you for being interested in continuing your work.

@sheerun
Copy link
Contributor

sheerun commented Aug 23, 2016

@kodypeterson Also, then I did "bower install angular-route", only "angular-route" got saved to bower.lock, while it should also contain "angular".

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Aug 23, 2016

@sheerun I am on it, I will see what I can get through this weekend along with cleanup and such!

@kodypeterson
Copy link
Contributor Author

kodypeterson commented Aug 23, 2016

@Utsav2 awesome! i will see what I can get from that. I have a feeling that both being so long ago the merge process is going to be a rough one. I might just need to cherry pick manually the changes in and maybe reorganize a bit.

Thanks for the reference though!

@mcfilib
Copy link

mcfilib commented Oct 14, 2016

@kodypeterson need any help?

@sheerun
Copy link
Contributor

sheerun commented Oct 14, 2016

Maybe a better route is to fix bower support in https://yarnpkg.com/ that already has file locking

@mcfilib
Copy link

mcfilib commented Oct 14, 2016

@sheerun I'm not entirely sure how practical that is; we're using PureScript which leverages Bower for dependency management and it looks like support for Bower in Yarn is really just in its infancy e.g. yarnpkg/yarn#896.

Does this mean that you would no longer be willing to consider this patch?

@sheerun
Copy link
Contributor

sheerun commented Oct 14, 2016

Maybe we could at least adopt lockfile format of yarn?

@joelhandwell
Copy link

joelhandwell commented Mar 21, 2017

For those who want to use lock feature before this PR merged, bower-locker is a workaround to generate lockfile and commit only bower.json which is newly generated lock file and bower-locker.bower.json which is renamed original bower.json in your repo.

Run following commands to achieve it:

npm install bower-locker -g

or

yarn global add bower-locker

then generate lock file based on existing bower.json file by runing:

bower-locker lock

I want to express big thanks to @shawnlonas for writing this. Guys, let's give it stars if you find it useful https://github.com/infusionsoft/bower-locker

@kael-shipman
Copy link

kael-shipman commented Apr 12, 2017

Any news on this? Is it stalled out?

@twogee
Copy link

twogee commented Apr 12, 2017

Why is this PR open when there is #2100?

@sheerun
Copy link
Contributor

sheerun commented Mar 28, 2018

Bower is depreacted now and we recommend switching to Yarn that supports version locking and more. Here's guide how to migrate: https://bower.io/blog/2017/how-to-migrate-away-from-bower/

@sheerun sheerun closed this Mar 28, 2018
@bower bower locked as too heated and limited conversation to collaborators Mar 28, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

You can’t perform that action at this time.